DNSSEC adds a layer of security to the DNS:
1. It confirms the authority of the originator of data sent by the DNS server (origin authentication: the information comes from the source it claims to come from, because it is signed with that zone's key).
2. It confirms the integrity of the data from the DNS server (the information you received is the same information that was sent; any change in transit breaks the signature).
3. It provides authenticated denial of existence when the name or record the client is trying to access does not exist, so an attacker cannot forge a "no such name" answer either.
It is not a complete solution: it does not provide confidentiality of the data returned by the DNS server (queries and responses still travel in clear text), and it does not protect against denial-of-service attacks.
Basic support for DNSSEC was introduced in Windows Server 2003, allowing DNS servers to act as secondary DNS servers for existing DNSSEC-compliant secure zones. They were not capable of signing zones and resource records or of validating the signature (RRSIG) resource records, and all DNSSEC configuration had to be made by editing the registry on the DNS servers.
In Windows Server 2008 R2 the support was enhanced, but it was limited by being intended as a solution only for file-backed, static zones and not for Active Directory integrated zones.
Windows Server 2012 includes full DNSSEC support for Active Directory integrated DNS, including DNS dynamic updates in DNSSEC-signed zones, automated trust anchor distribution through Active Directory, automated trust anchor rollover support, validation of records signed with the updated DNS standards (NSEC3, RSA/SHA-2) and PowerShell support.
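As an added example (not code from the original article), the following Windows PowerShell session signs an Active Directory integrated zone on Windows Server 2012 with the DnsServer module, turns on trust anchor distribution through AD, and checks the result. The zone name, server name and export path are assumptions for illustration.

```powershell
# Added example, not from the original article. Zone, server and path names
# are assumptions for illustration.
$ZoneName = 'corp.example.com'          # hypothetical AD-integrated zone
$DnsHost  = 'dc1.corp.example.com'      # hypothetical primary DNS server (a DC)

# 1. Sign the zone with the Windows Server 2012 defaults: RSA/SHA-256 KSK and ZSK,
#    NSEC3 for authenticated denial of existence, automatic key rollover.
#    -Force skips the confirmation prompt. The keys are stored in AD so every
#    DC that hosts the zone can use them; this server becomes the key master.
Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault -Force -ComputerName $DnsHost

# 2. Check how the zone was signed (denial-of-existence scheme, trust anchor
#    distribution, RFC 5011 rollover).
Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName -ComputerName $DnsHost |
    Format-List DenialOfExistence, DistributeTrustAnchor, EnableRfc5011KeyRollover

# 3. Distribute the zone's DNSKEY as a trust anchor to every DNS server in the
#    forest through Active Directory, so the other DCs can validate this zone
#    without a manual trust anchor import.
Set-DnsServerDnsSecZoneSetting -ZoneName $ZoneName -DistributeTrustAnchor DnsKey -ComputerName $DnsHost

# 4. The records DNSSEC added to the zone: the public keys and the signatures
#    that a validating resolver will check.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DnsKey -ComputerName $DnsHost
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType RRSig  -ComputerName $DnsHost |
    Select-Object -First 5

# 5. Export the DS record set for the parent zone. Until the parent publishes
#    the DS, resolvers outside the forest have no chain of trust to this zone
#    and will treat it as unsigned.
Export-DnsServerDnsSecPublicKey -ZoneName $ZoneName -Path 'C:\dnssec' -DigestType Sha256 -Force -ComputerName $DnsHost

# 6. On another Windows Server 2012 DNS server in the forest, confirm the
#    trust anchor arrived through AD replication.
Get-DnsServerTrustAnchor -Name $ZoneName
```

Step 3 is what makes the "automated trust anchor distribution" in the text happen; without it, each resolver in the forest would need the DNSKEY or DS imported by hand with Add-DnsServerTrustAnchor, and a key rollover would have to be redistributed the same way.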
Windows 7 and Windows Server 2008 R2 are DNSSEC aware but non-validating, meaning that the DNS client can examine a response it receives to determine whether the DNS server has validated it (the Authenticated Data flag in the response), but the client cannot itself validate the response it receives. The last hop between the client and its DNS server is therefore still unprotected, so you should use some other method, such as IPsec, to secure the communication all the way.
The DNSSEC clients in Windows 8 and Windows Server 2012 are still DNSSEC aware but non-validating, so you should still use IPsec to secure the network connection between the client and its DNS server.
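As an added example (not code from the original article), the following Windows PowerShell commands, run on a Windows 8 or Windows Server 2012 client, first show the non-validating behaviour described above and then apply the two controls the text calls for: a Name Resolution Policy Table (NRPT) rule that makes the client accept only responses the DNS server has validated, and IPsec between the client and its DNS server. The namespace, resolver address and rule names are assumptions for illustration, and the IPsec settings in the NRPT rule only take effect once a matching connection security rule exists on both the client and the server (normally delivered by Group Policy); the server-side rule is shown at the end.

```powershell
# Added example, not from the original article. Namespace, resolver and rule
# names are assumptions for illustration.
$Namespace = '.corp.example.com'   # leading dot: the rule covers the whole subtree
$Resolver  = '10.0.0.10'           # hypothetical Windows Server 2012 validating DNS server

# 1. The client is DNSSEC aware: it can set the DO bit and receive the RRSIG
#    records alongside the answer, but it does not check those signatures
#    itself; it only looks at whether the server reported the answer as validated.
$answer = Resolve-DnsName -Name "www$Namespace" -Type A -DnssecOk -Server $Resolver
$answer | Format-Table Name, Type, TTL, DataLength -AutoSize
$sigs = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
"RRSIG records returned with the answer: $($sigs.Count)"
# -DnssecCd (checking disabled) tells the server to skip validation. The client
# still gets an answer, which shows where the validation actually happens.
Resolve-DnsName -Name "www$Namespace" -Type A -DnssecOk -DnssecCd -Server $Resolver

# 2. NRPT rule: for names under the namespace, require that the DNS server
#    validated the response (AD flag set), and require IPsec with encryption on
#    the client-to-server query so the unvalidated last hop cannot be spoofed.
#    Confirm the parameter names on your build: Get-Help Add-DnsClientNrptRule -Detailed
Add-DnsClientNrptRule -Namespace $Namespace `
    -DnsSecEnable `
    -DnsSecValidationRequired `
    -DnsSecQueryIPsecRequired `
    -DnsSecQueryIPsecEncryption High `
    -Comment 'Require validated, IPsec-protected DNS for corp.example.com'

# 3. Confirm the rule is in place and see the effective policy the client applies.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } |
    Format-List Namespace, DnsSecValidationRequired, DnsSecQueryIPsecRequired, DnsSecQueryIPsecEncryption
Get-DnsClientNrptPolicy -Effective

# 4. IPsec for the last hop, on the DNS server side (domain-joined, so machine
#    authentication comes from the default Kerberos phase 1 set). Inbound DNS
#    must be protected; outbound replies request it. Clients receive the
#    matching connection security rule through Group Policy.
New-NetIPsecRule -DisplayName 'Require IPsec for DNS queries (UDP)' `
    -Protocol UDP -LocalPort 53 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Enabled True
New-NetIPsecRule -DisplayName 'Require IPsec for DNS queries (TCP)' `
    -Protocol TCP -LocalPort 53 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Enabled True
```

With the rule in place, a response for a name under the namespace that arrives without the AD flag, or outside an IPsec association, is discarded by the client as if the lookup had failed; that is the behaviour you want, because a non-validating client has no other way to tell a spoofed answer from a validated one.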